[openstack-dev] [OSSG] Best tool for simple security gate checks

Duncan Thomas duncan.thomas at gmail.com
Thu Jun 19 18:38:32 UTC 2014


On 19 June 2014 19:21, Travis McPeak <Travis_McPeak at symantec.com> wrote:
> Hi all,
>
> In the OpenStack Security Group (OSSG) we've been kicking around the idea
> of getting some simple non-blocking security-related gate tests going.
> These tests would be designed to be simple and automated checks for
> low-hanging fruit such as the use of 'Shell=True'.  The main goal is to
> have these be as noiseless as possible (a low rate of false positives).
> The hope is that if these are useful and unobtrusive enough, when they
> actually do fail, people will take note.
>
> We will start off small, with maybe one simple gate test, and expand later
> if it proves to be useful.  We plan to test heavily internally, and then
> start requesting integration into projects later.
>
> My question is: what is the best tool for the job?  I have heard Pylint
> and Hacking mentioned.  Are there any others?

Changes to hacking are probably what you want, since what you're aiming
for at the moment can be done by regex... you might want to write
something that consumes the Python AST directly to do smarter things,
but that's far, far more work.
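To make the regex-versus-AST trade-off concrete, here is an added example (not code from the thread, hacking, or any OpenStack project) that runs both styles of check over a small constructed Python snippet. The regex rule fires on comments, strings and a function default; the AST visitor only reports an actual call that passes a literal shell=True. The helper names and the sample are hypothetical.

```python
import ast
import re

# A hacking-style line regex: flags any line that mentions shell=True.
SHELL_TRUE_RE = re.compile(r"shell\s*=\s*True")


def regex_findings(source):
    """Return 1-based line numbers where the regex matches (comments and strings included)."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SHELL_TRUE_RE.search(line)]


class ShellTrueVisitor(ast.NodeVisitor):
    """Collect call sites that pass a literal shell=True keyword argument."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        for kw in node.keywords:
            # Only a literal True counts; shell=shell or shell=flag is left alone
            # (a smarter check could resolve those, at far more effort).
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                self.findings.append((node.lineno, ast.unparse(node.func)))
        self.generic_visit(node)


def ast_findings(source):
    """Return (line, callee) pairs for calls that pass shell=True literally."""
    visitor = ShellTrueVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample input: mixes real hits with the noise a regex trips over.
SAMPLE = '''\
import subprocess
# Never run with shell=True here (comment, not a call)
msg = "shell=True is dangerous"
subprocess.call("ls -l", shell=True)
subprocess.Popen(["ls"], shell=False)
def run(cmd, shell=True):
    return subprocess.check_output(cmd, shell=shell)
'''

if __name__ == "__main__":
    print("regex:", regex_findings(SAMPLE))   # noisy: [2, 3, 4, 6]
    print("ast:  ", ast_findings(SAMPLE))     # precise: [(4, 'subprocess.call')]
```

The function default on line 6 and the `shell=shell` pass-through on line 7 show where each approach draws its line: the regex over-reports, while the AST check stays quiet unless it sees a literal True at a call site.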
